URL Malware, Constant Threat Detections

I’ve been trying to fix a laptop for a friend, exhausting all options before formatting and starting over. Though it boots normally (though somewhat slow) and seems to be running fine, it’s been getting constant (between 9-13 every 5 minutes) URL Malware threat detections in Avast! from various domains. I’m not sure how long it’s been doing this since it was used in silent mode until I turned it off so I could see if there were any detections.

I’ve attached the logs from FRST64. The FRST64 download from bleepingcomputer.com wouldn’t work, and an error came up stating it wasn’t a valid application. I got another copy from majorgeeks.com and that one worked but it said the database was too old and needed an update – it then failed to update. So these results are from the non-updated version. I’m not sure if they’ll be useful.

I tried to run aswMBR but it failed to complete several times, getting hung up on a java file on one attempt and a video file on another before crashing.

That version is too old, I have uploaded the latest to my dropbox for you. You will need to temporarily disable the Avast shields to download it

https://dl.dropboxusercontent.com/u/73555776/FRST64.exe

Getting a 404 error when following that link (on another laptop also). Any other place I could download an updated version?

404 for me also

Try again as I inadvertently deleted it :-[

Thanks, attached the logs. I did another scan last night and Avast found 81 infected files. It did a boot scan after and only found 1 (a file tdsskiller had in quarantine). Still having problems with the threat detections, unfortunately (stuff like threat html frame-inf, swf malware-gen trj, js:agent-dcu expl, jus:includer-bfg trj, win32:viknok-r trj was found in the scan before boot).

It appears that the rcpss file has been patched. What file did TDSSKiller quarantine ?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (No File) Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (No File) SearchScopes: HKCU - DefaultScope {A1BB74CE-BEDE-4439-B996-2F0AD02E69A7} URL = Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKCU - No Name - {434D472D-5637-006A-76A7-7A786E7484D7} - No File FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll No File FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll No File CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-07-22] CHR HKLM-x32\...\Chrome\Extension: [kpfhgnebikhafakgnbbdnpjigaohhgnh] - C:\Users\reche\AppData\Roaming\PC-Gizmos\\Chrome_Extension.crx [2012-12-18] Task: {11CCEBC1-450C-451D-8650-6F0946747E9D} - System32\Tasks\Test TimeTrigger => C:\Users\reche\AppData\Local\Temp\Runner.exe <==== ATTENTION CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Not sure about the actual file, but this is what the TDSSKiller log had for detections:

18:11:38.0321 8864 Actual detected object count: 1
18:11:50.0091 8864 \Device\Harddisk0\DR0\Partition1 - copied to quarantine
18:11:50.0101 8864 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
18:11:50.0101 8864 \Device\Harddisk0\DR0\Partition1 - ok
18:11:50.0101 8864 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure

That was back in February 2013.

I was able to do the FRST fixlist but it gave me a few errors before actually doing it (something about application errors for various .dll files). It gave me about three of those errors before it proceeded with the fix. I’ve attached the resulting log.

I then downloaded ComboFix to the desktop and launched it. It brought up the window and seemed to be working. Then it just disappeared and nothing happened for almost 10 minutes. I got a bit nervous since I had to disable shields to run it and didn’t want to get infected with something, so I rebooted on my own and didn’t try to run it again (as advised in your post). It added some folders to my C:\ drive with an unusual icon but no Combofix.txt.

The threat detections haven’t stopped, unfortunately.

OK I thought that TDSSKiller was recent

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

That might have done it. It’s been around 10 minutes with no threat detections from weird domains. I’ve attached two logs (not sure which log is the one you needed, but those were the two generated today). I also ran another scan using TDSSKiller after reboot and it came up clean.

Anything else I should do to ensure it’s clean? Thanks for all of your help so far.

C:\Windows\system32\rpcss.dll - will be cured on reboot
There we go, any further problems

No further problems, boot up time is much faster and no threat detections from Avast!

Thanks for all the help. :slight_smile:

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: